
Undetectable Backdoor Encoding with Metasploit Framework

Today we are gonna be encoding backdoors using the Metasploit Framework on Backtrack 5!

First we take a look at crafting a simple payload into a backdoor, and when loading it into a sandbox (Windows XP) the anti-virus doesn’t even allow the file to be downloaded.

Well, that’s not any good is it? Who’s gonna open the file if there are flags all over it?

So we have to make this file undetectable, at least to the client’s anti-virus which is Avast. Recently I found a public script in Pastebin and after looking at it for a few minutes, I thought the file was really legit. Especially after seeing all the encoding going on at line 43… so I modified it for my own use — big ups to Astrobaby, don’t know who you are or where you’re from but keep it up!

Run metasploit framework console, use the exploit/multi/handler method, and set the payload to windows/meterpreter/reverse_https. It is also a good idea to use the ‘launch_and_migrate.rb’ script, so we can migrate to a new process as soon as we get a chance. We encoded that backdoor like 1000 times so it can’t be that stable.

Now with an undetectable backdoor we just get creative and find a way to send it to the victim.

Re: Undetectable Backdoor Encoding with Metasploit Framework

hi, manijak
the script worked fine! I'm using bt5-r2 too... if you have installed (all mingw32 ... etc.) try to copy vanish.sh into the metasploit 4.3.0-dev directory!
/opt/metasploit/msf3, or create a link, like me, to /pentest/exploit/framework

Re: Undetectable Backdoor Encoding with Metasploit Framework

OK, I go cd /pentest/exploits/framework2 (yes, the name of my folder is framework2 o.0) > ls > I can see vanish.sh > I made it executable > ./vanish > interface: etho1 > port: 4444 > random number: 6000 > encode: 5 > and the same thing as manijak